How does the "post/redirect/get" (PRG) pattern improve security? I see the "confirmation through redundancy" principle at play, but I don't understand how they could counter-balance the risks.

As a network developer, I see an opportunity for someone to hijack the request or perform other kinds of man-in-the-middle attacks. If your site isn't loaded over HTTPS, or doesn't mandate the use of cookies, how could this be allowed?
https://en.wikipedia.org/wiki/Post/Redirect/Get

Why do you think it improves security? Where does this claim come from? Wikipedia only talks about protecting against duplicate form submission due to page reload which is not by itself a security issue.
– Steffen UllrichMay 19 '17 at 20:19

But it's not data corruption if a resubmission creates duplicate data. If the system allows duplicate data, it's perfectly valid, it's just not what the user intended. If duplicate data is not allowed, the second submission should raise an error regardless of how the second submission occurred. Either way, the post/redirect/get pattern is to protect the user from unintended behaviour, not to protect the system from unallowed behaviour. Thus, it is a usability issue, not a security issue.
– knbkMay 20 '17 at 13:13

This is a definition-based disagreement we're having. I agree with everything you are saying, except that I'm using the term "corruption" more loosely than you are. Speaking again in very broad & conceptual terms, unintended behavior is the cause of all security vulnerabilities I am aware of. I also wasn't super-clear with my question; I meant: The redirect/refresh portion looks like an opportunity to stage a MITM attack, is it not? But if it is, how do the benefits outweigh the risk?
– Rob TruxalMay 22 '17 at 16:56

1 Answer
1

POST-REDIRECT-GET (RPG) is there to stop the client from submitting the same form 2 times by error when he tries to reload the page for example.

Also, if the client try to navigate to a previous page that is a POST, the browser will often display a blank page which is a poor user experience. By adding the REDIRECT-GET, you won't get this blank page issue.

I don't think it's related in any way to the security of the application as it won't let you do something that you are not supposed to do if you only use POST.

Note

You seem to worry about Man-in-the-middle attack and request hijack, but if you have those kind of problems it's already game over RPG or not. So, if those things are the issue, I would suggest to use https.

"but if you have those kind of problems it's already game over RPG or not. So, if those things are the issue, I would suggest to use https." -- Well put. Although I would classify data-transmission-integrity as a security issue.
– Rob TruxalMay 19 '17 at 21:25